IT Vendor Management Checklist

Vendor Discovery and Requirements

    Capture the requesting team, the workflow being replaced or augmented, expected user count, and which data classes will live in the system (PII, PHI, cardholder, source code, financial). The data-class answer drives everything in the security review — get it pinned before shortlisting.

    Three candidates is the floor — single-vendor evaluations don't survive procurement scrutiny. Pull candidates from peer recommendations, Gartner/Forrester, and existing-stack adjacencies. Note incumbent renewal pricing as the baseline to beat.

    SOC 2 Type II — not Type I, and not the bridge letter alone. Read the exceptions section, not just the auditor's opinion. If the vendor only has ISO 27001 or a self-attestation, escalate to security leadership before proceeding; for healthcare workloads also request HIPAA attestation.

    Vendor-supplied references are pre-screened — supplement with peer contacts from your MSP peer group, ASCII, or local IT leader Slack. Ask specifically about support response times, breach communication, and renewal-pricing behavior.

Security and Compliance Review

    Use CSA CAIQ for cloud-native vendors or Shared Assessments SIG-Lite for general SaaS. Don't accept marketing-page answers — require evidence references back to the SOC 2 or to specific control documentation.

    Verify encryption at rest (AES-256) and in transit (TLS 1.2+), the AWS/Azure/GCP region(s) where data is stored, and the full sub-processor list. EU customer data in a US region without SCCs is a Schrems II problem; flag it now, not at contract.

    BAA required if the vendor will touch PHI for a covered-entity client. DPA required for EU/UK/CA personal data under GDPR/UK-GDPR/CCPA. Confirm the vendor will sign their template — some refuse, which is a deal-breaker for regulated workloads.

    SAML 2.0 or OIDC for SSO with Entra ID, Okta, or JumpCloud is table-stakes. SCIM 2.0 for identity lifecycle is the difference between automatic deprovisioning at offboarding and a forgotten orphan account 90 days later. Vendors that gate SSO behind a premium tier ("SSO tax") are a real budget surprise — flag it.

Contract and SLA Negotiation

    For SaaS subscriptions: named modules, user tiers, and any usage caps. For services or implementation: written acceptance criteria the vendor must hit before final invoice. "As scoped" without acceptance criteria is how implementation projects slip into year two.

    Standard SaaS uptime SLA is 99.9% (≈8.7 hours/year of downtime). Service credits are often capped at 10–25% of monthly fee — meaningless for a 4-hour outage that costs the business six figures. Push for credits proportional to actual impact, and exclude scheduled maintenance carve-outs that are too generous.

    Breach notification: 72 hours from confirmed incident, in writing, with named contact. Audit rights: ability to request the next SOC 2 report, plus right to question new findings. For BAA-bound vendors, breach terms align to HIPAA's 60-day requirement.

    Legal reviews liability caps, indemnification, IP ownership, and auto-renewal language. Auto-renew with 90-day notice-to-cancel is the most common buried clause — get it changed to 30 days or removed. Attach the fully executed contract and any signed BAA/DPA addenda.

Onboarding and Integration

    Production data must not flow until the BAA or DPA is countersigned and filed. "We'll get to it next week" is how covered entities end up with PHI at an uncovered processor — a reportable HIPAA exposure on day one.

    Set up the SAML app, scope user assignment to a security group (not "all users"), enforce MFA at the IdP, and disable the vendor's local-password login path once SSO is verified. Leaving local logins active alongside SSO is how MFA bypass happens.

    SCIM token from the vendor, configured in the IdP, with group-based assignment driving role mapping. Test create, update, and deprovision flows with a pilot user before flipping the org-wide assignment.

    Capture vendor portal URL, account number, support contacts (named human + portal), admin credentials in the password vault, SSO/SCIM configuration notes, renewal date, and the executed contract link. The point is that any technician on the team can answer a vendor question without paging the original owner.

    In ConnectWise PSA, Autotask, or HaloPSA: vendor record, product/agreement, and renewal-reminder cadence at 90/60/30 days before renewal. License count tracked against active SCIM-provisioned users — true-up surprises usually come from drift between the two.

Performance Monitoring and Renewal

    Pull the vendor's status-page history or monthly SLA report. Cross-reference against your own incident tickets — vendors rarely post incidents that affected only your tenant. File any SLA breaches for service-credit claims; most credits are not auto-applied, so you have to ask.

    QBR agenda: usage trends, support ticket volume and MTTR, roadmap items relevant to your stack, security posture changes (new sub-processors, new certifications), and renewal-window pricing signals. The vCIO or IT manager owns this; technicians attend for technical depth.

    Sixty days before renewal — earlier than the auto-renewal notice window. Score against the original requirements, factor in migration cost vs. switching benefit, and pressure-test renewal pricing against current market quotes from two named alternatives.

    Trigger the contractual data-return clause (export format, delivery method, deletion certificate). Disable SCIM provisioning, remove the SSO app assignment, archive the IT Glue/Hudu record, and close the PSA agreement. A 30-day post-termination audit confirms no orphan access remains.
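A reconciliation script for the license-drift check in the onboarding section and the post-termination orphan-access audit above, added here as an example (it is not part of the checklist or any vendor's tooling). The IdP group membership, the vendor user export and the seat count are constructed sample data, and the export's field names are assumed.

```python
"""Reconcile IdP-provisioned users against a vendor's user export."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample: members of the IdP security group that drives SCIM provisioning.
IDP_PROVISIONED = {"alice@example.com", "bob@example.com", "carol@example.com"}

# Constructed sample: the vendor admin console's user export (field names assumed).
VENDOR_EXPORT = [
    {"email": "alice@example.com", "status": "active", "auth": "sso", "last_login": "2024-05-01"},
    {"email": "bob@example.com", "status": "active", "auth": "sso", "last_login": "2024-04-28"},
    {"email": "dave@example.com", "status": "active", "auth": "password", "last_login": "2024-02-10"},
    {"email": "carol@example.com", "status": "suspended", "auth": "sso", "last_login": "2024-03-15"},
]
LICENSED_SEATS = 5  # constructed: seats purchased under the agreement

@dataclass
class DriftReport:
    orphans: list[str]       # active at the vendor but not provisioned from the IdP
    local_logins: list[str]  # active accounts still on a vendor-local password (MFA bypass path)
    stale: list[str]         # active accounts with no login inside the stale window
    active_count: int        # what the vendor will count at true-up
    seats_unused: int        # licensed seats minus active accounts

def reconcile(idp_users, vendor_export, licensed_seats, today_iso, stale_days=90):
    """Compare the vendor's active users with the IdP-governed set as of today_iso."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=stale_days)
    active = [u for u in vendor_export if u["status"] == "active"]
    orphans = sorted(u["email"] for u in active if u["email"] not in idp_users)
    local_logins = sorted(u["email"] for u in active if u["auth"] != "sso")
    stale = sorted(u["email"] for u in active
                   if date.fromisoformat(u["last_login"]) < cutoff)
    return DriftReport(orphans, local_logins, stale, len(active), licensed_seats - len(active))

def access_clean(report):
    """True only when nobody holds access outside the IdP-governed SSO/SCIM path."""
    return not (report.orphans or report.local_logins)

if __name__ == "__main__":
    report = reconcile(IDP_PROVISIONED, VENDOR_EXPORT, LICENSED_SEATS, "2024-05-15")
    print(report)
    print("post-termination audit clean:", access_clean(report))
```

Run it against the live IdP group and a fresh vendor export at each 90/60/30-day renewal reminder and again 30 days after termination; a non-empty orphans or local_logins list is the finding to chase.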

Use this template in Manifestly
